SBS Exchange Certificate Expired

KB ID 0000535

Problem

When you setup SBS2008 (and Exchange 2007) it creates and uses a self signed certificate, which is fine. But by default it only lasts two years. The best option is to buy a proper certificate, but if you simply want to generate a new one here’s how to do it.

Solution

1. Here you can see your certificate has expired.

2. Normally you need to access your certificate services web enrolment console to carry this procedure out. But when you navigate to https://localhost/certsrv you will probably see this:

Server Error in Application “SBS WEB APPLICATIONS”

Note: If web enrolment is installed, and you still cant access certificate services (CertSrv) then click here

3. You are seeing this error because certificate services might be installed, but the “Certificate Authority Web Enrolment” role service is not, you can add it from server manager.

4. Select it and follow the on screen prompts > Go and have a coffee.

5. Now you should be able to access the web front end.

6. To get a certificate we need a certificate request, you can write the powershell yourself like so:

[box] New-ExchangeCertificate -GenerateRequest -Path c:mail_yourpublicdomianname_co.csr -KeySize 2048 -SubjectName “c=gb, s=Your State COunty, l=Your City, o=Your Org, ou=Your Department, cn=mail.yourpublicdomianname.com” -PrivateKeyExportable $True [/box]

OR simply go here and let the good folk at Digicert do the heavy lifting for you.

7. Now you have the code, generate the request, on the Exchange server >  Start > All Programs > Microsoft Exchange Server 2007 > Exchange Management Shell > Execute the command you copied above.

8. This will dump the request on the C: drive (because in your command above you set the path to C:mail_yourpublicdomianname_co.csr) Locate it and open it with Notepad. Then select and copy ALL the text (copy as shown no extra spaces etc.)

9. If you have closed it down log into certificate services web access. Select “Request Certificate” > We will be submitting an advanced certificate request.

10. “Submit a certificate request by using………..”.

11. Paste in the text you copied at step 8, change the certificate template to “Web Server” > Submit.

12. Download the certificate.

13. Save it somewhere you can find it (the root of the C: drive is easiest, as you are going to be referencing it in a command shortly).

14. Job done, close the browser window.

15. Back at the Exchange Management Shell issue the following command:

[box] Import-ExchangeCertificate -Path c:the-name-of-your-cert.cer [/box]

As it imports it shows you the thumbprint of the certificate, mark this and copy it to the clipboard.

16. Now you have the certificate imported you can enable it, issue the following command:

[box] Enable-ExchangeCertificate -Services “SMTP,POP,IMAP,IIS” [/box]

It will ask you for the thumbprint > paste it in > when prompted enter “A” to confirm all.

17. That’s the job finished.

SBS2008 Unable to access Certificate Services

I’ve seen this on a few SBS2008 Servers, when you install the web enrolment service it installs into the servers “Default Web Site”, For any other Windows/Exchange combo that’s fine but SBS likes to do things its own way. It creates another web site called “SBS Web Applications” and uses that. That’s fine, but only one can be up and running at a time.

CertSrv The Webpage cannot be found

1. Warning: You are about to stop things like OWA briefly. From Administrative tools launch the Internet Information Services (IIS) Manager > Locate the SBS Web Applications site and click stop (right hand column) > then select the Default Web site and start it.

2. Select the CertSrv virtual directory.

3. You can now browse via http/https and this will open the site in your default browser. Don’t forget to stop the Default website, and restart the SBS Web Applications site when you are finished.

 

Related Articles, References, Credits, or External Links

NA

Cisco ASA 5500 – Using a Third Party Digital Certificate

(For Identification, AnyConnect, and SSL VPN)

KB ID 0000694

Problem

A client asked me how to do this, so off I went to the test bench to work it out.

Note: I’m this example In going to submit the request to, and issue the certificate from, my own windows domain certificate authority, you would send your request to a third party certificate authority, here’s a direct link to the certificate type you require. To use your own CA every client connecting to the ASA would need to trust this CA.

Solution

Certificates are date specific, so we need to make sure your firewall knows the correct date and time.

1. Connect to the ASA via ASDM > Configuration > Device Setup > System Time > Set the time and time zone correctly.

Note: As shown, from command line simply enter “show clock”.

2. Configuration > Device Management > Certificate Management > Identity Certificates > Add > New > Supply a key pair name > Generate Now.

Note: If using Digicert change the Key Size to 2048 or you will see this error, when you attempt to get your certificate.

Something is wrong
The CSR uses an unsupported key size, please generate a new CSR with a key size of at least 2048 bits
.

3. Select > Set each attribute, and add it one by one (as shown) > OK.

4. Advanced > Set the FQDN to the SAME name you entered for the CN in step 3 > OK > Add Certificate.

5. Choose a location to save the certificate request.

6. Locate and open the certificate request and it should look something like this.

Note: This is the information your certificate vendor will require.

7. Once your request had been processed the certification authority should send you a certificate. (Note: some vendors may send you a text file that you need to rename from filename.txt to filename.cer before it will look like this).

8. With the certificate open (as above) > Certificate path > Select the the Issuing Certificate Authority > Copy to File.

Note: You need to import the root certificates, and depending on the vendor, any intermediate certificates, I’ve shown an example from two major vendors to illustrate.

9. Select “Base-64 encoded…” > Next.

10. Save the cert somewhere you can find it.

11. Open it with notepad, and it should look like this > Select ALL the text.

12. Back at the ASDM > Configuration > Device Management > Certificate Management > CA Certificates > Add > Paste certificate in PEM format > Paste in the text > Install Certificate.

13. Repeat the process for any other RootCA or Intermediate Certificates. Then you will need to go back to step 8 and export the web certificate itself, (i.e. in this case select vpn.petenetlive.net and export that to file, and copy that from notepad to the clipboard).

14. Back in the ASDM this time you will need to install the Identity Certificate, (this is the one you paid for!) > Select the pending request from earlier > Install > Paste in the text > Install Certificate > Apply.

15. To enable the certificate on the outside interface > Configuration > Device Management > Advanced > SSL Settings > outside > Edit > Select the new one from the list > OK > Apply.

16. Note: If you were configuring your AnyConnect VPN’s later this is the point in the setup, where you would select the new certificate.

17. Make sure you can resolve the name that’s on the CN of your certificate and you can reach it from a client machine.

18. Now you should be able to connect without certificate warnings.

19. Don’t forget to save the settings on your ASA (File > Save Running Configuration to Flash).

Related Articles, References, Credits, or External Links

Securing Cisco SSL VPN’s with Certificates

Cisco ASA – Cannot Enable Third Party Certificate (9.4 and later)